If you believe you have found a security vulnerability in verify-safe-to-test-label, please report it privately using GitHub’s “Report a vulnerability” feature.
- Open the Security tab.
- Click Report a vulnerability.
- Submit a private report with details and, where possible, a proof of concept.
Please do not open a public issue for security vulnerabilities.
To help us investigate quickly, please include:
- A description of the vulnerability
- Steps to reproduce
- A minimal proof of concept (PoC) or example workflow
- The potential impact (e.g., bypass of the label gate, unintended repository access, secret exposure)
This policy applies to:
- The GitHub Action code
- The label verification logic
- Permission handling
- Any behavior that could allow bypassing the approval gate
We ask reporters to follow coordinated (responsible) disclosure: keep the details private and allow reasonable time for a fix to be released before sharing them publicly.
Thank you for helping keep the GitHub Actions ecosystem secure.